Access brokers are making it easier for ransomware operators to attack businesses
A new business model has been uncovered that makes it much easier for attackers to gain access to business' networks


Cyber security researchers have uncovered a new underground business model dubbed 'access-as-a-service' in which access to an organisation's network is sold rather than an exploit or zero-day vulnerability.
So-called access brokers are selling direct access to a company's network in which they're already embedded via shared remote VPN connections. Attackers can pay different sums for varying levels of access.
The business model, discovered and detailed by Trend Micro, could lead to a new way for ransomware operators to launch attacks without having working exploit themselves.
Attackers are now able to buy their way into a network, paying only as much as they need for the right level of access to achieve their objective.
The business model relies on stolen credentials for access brokers to have a viable service and Trend Micro said businesses will have to place a greater emphasis on protecting credential theft to avoid future breaches.
"Access brokers in the criminal underground often advertise this service like it’s a cinema ticket: Somebody buys this ticket, and they get straight in," read the report. "In reality, however, things are a bit different.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
"For example, what exactly do customers get in exchange for their money? Sometimes, it’s access to a web shell or a similar straightforward method of getting a command prompt into the compromised network. More often than not, however, it’s just a set of credentials and a VPN server to connect to."
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Remote Desktop Protocol (RDP) access and VPN-based access were the two most common products being advertised, primarily in the United States, Spain, Germany, France, and the UK.
After viewing more than a thousand adverts for services online, the most common targets Trend Micro observed were universities and schools (36%), 11% offered access to manufacturing firms and professional services, with other miscellaneous companies comprising the remainder.
Online adverts typically offer access to a company with a broad description such as 'big German energy company', offer details of the level of access available, type of access on offer (RDP or VPN), cost of the service, and in some cases details of the company's turnover and employee numbers.
Prices for services can range between a few US dollars for access to a single machine and six-digit sums for admin credentials to an entire business, but most dedicated brokers don't advertise their prices openly, according to the researchers.
Access brokers are typically advertising their products either on deep web criminal marketplaces, through a network of connections throughout underground forums, and in less common cases dedicated online shops are used for smaller-scale, single-machine access.
Trend Micro made several suggestions for businesses wary of being exploited using this new business model. Monitoring public breaches can be useful in determining if credentials may have been stolen and triggering a password reset for all staff if one is detected.
Enabling two-factor authentication (2FA) for remote staff will also help prevent remote access from criminals, as will closely monitoring user behaviour on the network.
For the most cautious, operating on a zero-trust model and assuming all staff have lost their passwords to criminals before is recommended, applying the necessary security measures where appropriate.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
Arrests made in hunt for hackers behind cyber attacks on M&S and Co-op
News The suspects remain in custody for questioning by officers from the NCA's National Cyber Crime Unit
-
Why does the US continue to grapple with full-fibre rollout?
In-depth Despite increased remote work and AI access demands, full-fiber rollout in the US continues to fall short
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector